# AI Code Audit Overview

<table data-view="cards"><thead><tr><th>Section</th><th>What you will find</th><th data-hidden data-card-target data-type="content-ref">Target</th></tr></thead><tbody><tr><td><strong>Create an AI Code Audit</strong></td><td>Prerequisites and the two-step setup wizard.</td><td><a href="/pages/X4yc23Inhvx1gPKx2AwE">/pages/X4yc23Inhvx1gPKx2AwE</a></td></tr><tr><td><strong>Track Progress and Findings</strong></td><td>Status vocabulary, detail tabs, and how to read findings.</td><td><a href="/pages/P12625XkjR5KcYlJmjTa">/pages/P12625XkjR5KcYlJmjTa</a></td></tr><tr><td><strong>What AI Code Audit Finds</strong></td><td>Vulnerability classes covered, plus what still needs a live target.</td><td><a href="/pages/vx7C5jq5oGOUqGbKvpE2">/pages/vx7C5jq5oGOUqGbKvpE2</a></td></tr></tbody></table>

## What is AI Code Audit?

AI Code Audit runs pentest-grade security reasoning directly on your source code. You don't need a staging URL, a crawl, or pentest scope setup. Connect a repository, confirm the price in credits, and start the audit.

It's a sibling to [Aikido Pentest](/pentests/aikido-pentest.md): same assessment model and issue experience, but repo-focused only.

* **Reasoning, not pattern matching.** Our agents reason about intent and can recognise flaws such as cross-tenant data leakage, instead of just spotting that a parameter exists.
* **10× cheaper than a pentest.** Pentest-depth reasoning across your entire codebase, in minutes instead of hours — on demand, anytime you want.
* **Zero setup, just connect a repo.** No staging environment, no traffic to replay, no agents to deploy. Point it at your source and find your vulnerabilities.
* **Mythos-Ready Defense.** Defends against the kind of attacks frontier models now make trivial — reasoning that matches what attackers can do.

## How it works

### Connect repositories

You pick the repositories you want audited in the create flow. AI Code Audit only needs source code — no live target, no domains, no auth setup. See [Aikido Never Stores Your Code](/getting-started/setting-up-your-account/aikido-never-stores-your-code.md) for how your source is handled during an audit.

### Agents reason about your code

Multiple security agents work through the connected codebases together, chaining context across files to surface architectural and logic flaws that traditional static scanners can't see.

### Read the findings

Findings land in the **Issues** tab on the assessment and in your global issue feed, alongside everything else Aikido detects. Each finding includes a summary, root cause, remediation, and code-based **Evidence** — see [Track Progress and Findings](/ai-code-audit/track-progress-and-findings.md) for the full read-out.

## Pricing and credits

AI Code Audit is paid for with [Aikido credits](/miscellaneous-info/wallet-and-credits.md).

* The **Pricing** step in the create flow shows the exact credit total before you commit.
* Cost depends on the size and complexity of the codebases you select. Larger or more sprawling selections cost more.
* Credits are charged when you click **Start Audit**.

## AI Code Audit vs Aikido Pentest

Both products run the same agentic engine, but they answer different questions. AI Code Audit reasons about your **source code**. Aikido Pentest exercises your **running application**.

### Use AI Code Audit when:

* You want **deep code reasoning** on logic and architectural flaws — IDORs, broken access control, multi-step chains — without configuring a live environment.
* You **don't have a stable staging or QA target**, or auth flows aren't ready for live testing.
* You need a **fast turnaround** with minimal setup: connect a repo, confirm credits, start.
* You want to validate **changes in source** before they ship to a **live deployment**.

### Use Aikido Pentest when:

* You have a **live target** and want to validate real exploitability with real traffic.
* You want **runtime evidence** — reproduction requests, attack-surface mapping, and live agent activity.
* Your scope includes **domains, authenticated user roles, and crawl-discovered endpoints** beyond what's visible in source.
* You need **follow-up actions** like **Re-test** and **Exploit Further** on validated findings.
* You're satisfying **compliance frameworks** like SOC 2 or ISO 27001 that expect a live penetration test.

## FAQ

### How is AI Code Audit different from a SAST scanner?

Static scanners flag patterns — a tainted parameter, a risky API call, a missing check. AI Code Audit reasons about intent across your codebase, so it can identify issues that need an attacker's perspective: IDORs, broken access control, multi-step exploit chains, and business logic flaws. It complements your existing [SAST scanning](/code-scanning/scanning-practices/sast-by-aikido-supported-languages-and-security-focus.md) rather than replacing it.
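To make the distinction above concrete, here is an added example (not code from Aikido or this page) of an IDOR that a pattern-based rule has nothing to flag: the query is parameterised, so the taint sink looks safe, yet one tenant can read another tenant's invoice. The in-memory table, the two tenant ids and the function names are constructed for the illustration.

```python
import sqlite3


def build_db():
    """Constructed sample data: two tenants (100 and 200), one invoice each."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, amount INTEGER)"
    )
    db.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, 100, 250), (2, 200, 9000)],
    )
    return db


def get_invoice_vulnerable(db, session_user_id, invoice_id):
    """IDOR: the query is parameterised, so a taint-based SAST rule sees a
    safe sink and stays quiet. The defect is semantic: session_user_id is
    never compared against the row's owner, so any tenant can read any id."""
    return db.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()


def get_invoice_fixed(db, session_user_id, invoice_id):
    """Hardened form: ownership is part of the lookup predicate, so another
    tenant's invoice is indistinguishable from a missing one (no existence
    oracle). A None result should be mapped to 404 by the caller."""
    return db.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, session_user_id),
    ).fetchone()


def demo():
    """Tenant 100 requests invoice 2, which belongs to tenant 200."""
    db = build_db()
    leaked = get_invoice_vulnerable(db, 100, 2)   # cross-tenant row returned
    denied = get_invoice_fixed(db, 100, 2)        # None: access denied
    own = get_invoice_fixed(db, 100, 1)           # tenant's own invoice
    return leaked, denied, own


if __name__ == "__main__":
    print(demo())
```

A scanner keyed on unsafe sinks sees the same safe `execute(..., params)` call in both functions; only reasoning about who is allowed to see which row separates them.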

### Why doesn't AI Code Audit need a live URL?

AI Code Audit reads and reasons about your source code directly. There's no crawl phase, no traffic replay, and no live exploitation — so there's no environment to point at. If you do want live testing against a deployed target, use [Aikido Pentest](/pentests/aikido-pentest.md) instead.

### Why can't I retest an AI Code Audit finding?

**Re-test** and **Exploit Further** are designed for live pentest findings, where Aikido can re-issue requests against your environment. AI Code Audit evidence is code- and reasoning-based, not a live exploit walkthrough, so those actions don't apply. To re-validate, run a new AI Code Audit against the updated code.
